A Warranted Response to Inaccurate Optiv Research
On March 22, 2021, Optiv published a blog post claiming to detail how our authentication workflow could be leveraged to bypass multi-factor authentication (MFA) in MobileIron Core. We strongly refute several findings in the report, which was based on penetration tests against a MobileIron Core server that we believe was not properly configured and hardened. It is important to note that we provide documentation for all MobileIron Core customers on configuring security settings to match their corporate policies and mitigate these risks, which apply to any software or cloud vendor.
- Hardcoded Mobile@Work API Key: The report states, “Through the use of a hardcoded API in the Mobile@Work agent, it is possible for an unauthenticated attacker to discover an organization’s MobileIron authentication endpoint. This attack vector represents a low risk and relies on the extraction of the Mobile@Work agent’s API key and enablement of MobileIron discovery services to be successful. An organization can reduce the attack vector by disabling MobileIron discovery services.”
Our response: We agree that this finding presents a low risk. The "Server Name Lookup" feature improves the user registration experience. The authentication endpoint it reveals is public information, which can also be obtained using other publicly available methods. However, customers can disable this feature, which eliminates this risk completely.
- Hardcoded Mobile@Work Encryption Key: The report states, “Through the use of a hardcoded encryption key in the Mobile@Work agent, it is possible for an unauthenticated attacker to construct MobileIron authentication requests. Additionally, it would be possible for a well-positioned attacker to leverage this deficiency to capture account credentials via man-in-the-middle (MitM) tactics. This attack vector represents a medium risk and relies on the extraction of the Mobile@Work agent’s encryption key to be successful. Additionally, MitM style attacks would need to inject or bypass the existing MobileIron TLS trust channel for success, which does provide some level of mitigating control by relying on TLS to provide transport security. However, if a mobile device were to be compromised, having this encryption key could allow visibility to application data streams. Mitigation of this issue is not known to exist, as it would require MobileIron to remove the encryption functionality of the username/password/pin information or eliminate the hardcoded nature of the encryption key.”
Our response: We encrypt user credentials and transport them over TLS, which is industry best practice. In our case, the password is encrypted twice: once with the hardcoded encryption key and again by TLS. The MitM attack described here applies to all cloud service providers. There is no causal connection between credential encryption and the MitM attack.
- Account Enumeration: The report states, “The account authentication process allows outside entities to enumerate user accounts and perform authentication attacks without fear of triggering account lockout conditions. This attack vector represents a medium risk and does not carry additional requirements for success. At the time of writing this paper, mitigation of this issue is not known to exist. An organization can obtain situational awareness of malicious activity by monitoring the MobileIron endpoint for excessive authentication requests.”
Our response: It is likely that Optiv's assessment was based on attacking a MobileIron Core server that was not properly hardened. Lockout settings for both the password and the PIN can and should be configured in the MobileIron Core admin console to mitigate the risk of password spraying attacks. This attack vector represents a low risk, assuming MobileIron Core is configured with password and PIN authentication and with lockout settings consistent with the customer's policies. PIN codes are single use and are sent to users over a separate channel.
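As an added illustration of the two controls discussed above (the per-account lockout setting and the endpoint monitoring for excessive authentication requests), the following Python example runs both checks over a handful of constructed authentication events. It is not MobileIron's code or log format; the event lines, thresholds and time window are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not MobileIron's real log format):
# "<ISO timestamp> <source IP> <account> <FAIL|OK>"
SAMPLE_LOG = """\
2021-03-22T10:00:01 198.51.100.4 erin FAIL
2021-03-22T10:00:20 198.51.100.4 erin FAIL
2021-03-22T10:00:45 198.51.100.4 erin FAIL
2021-03-22T10:05:00 203.0.113.7 alice FAIL
2021-03-22T10:05:10 203.0.113.7 bob FAIL
2021-03-22T10:05:20 203.0.113.7 carol FAIL
2021-03-22T10:06:00 192.0.2.10 alice OK
2021-03-22T10:07:00 192.0.2.11 bob FAIL
"""
LOCKOUT_THRESHOLD = 3   # failures per account within WINDOW (assumed policy value)
SPRAY_MIN_ACCOUNTS = 3  # distinct failing accounts from one source within WINDOW
WINDOW = timedelta(minutes=10)

def parse(log):
    """Constructed lines -> (timestamp, source, account, outcome) tuples."""
    return [(datetime.fromisoformat(t), s, a, o)
            for t, s, a, o in (line.split() for line in log.splitlines())]

def locked_accounts(events, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Accounts whose failures would trip a per-account lockout policy."""
    by_acct = defaultdict(list)
    for ts, _src, acct, outcome in events:
        if outcome == "FAIL":
            by_acct[acct].append(ts)
    locked = set()
    for acct, times in by_acct.items():
        times.sort()
        # any run of `threshold` consecutive failures inside one window trips it
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            locked.add(acct)
    return locked

def spraying_sources(events, min_accounts=SPRAY_MIN_ACCOUNTS, window=WINDOW):
    """Sources failing against many distinct accounts inside one window: the
    pattern that endpoint-level monitoring looks for alongside lockout."""
    by_src = defaultdict(list)
    for ts, src, acct, outcome in events:
        if outcome == "FAIL":
            by_src[src].append((ts, acct))
    return {src for src, fails in by_src.items()
            if any(len({a for t, a in fails if start <= t <= start + window})
                   >= min_accounts for start, _ in fails)}
```

With the sample data, `locked_accounts` flags only `erin` (three failures in under a minute), while `spraying_sources` flags `203.0.113.7`, which fails once each against three different accounts.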
The risks outlined in this report apply to any software or cloud vendor. Additionally, we provide documentation on hardening best practices for all customers. We strongly recommend that customers configure their MobileIron Core products with multi-factor authentication and configure lockout settings based on their corporate policies.